A significant Linux vulnerability that allows remote code execution on Linux servers was announced late yesterday, named GHOST: CVE-2015-0235. It is a heap-based buffer overflow in the glibc gethostbyname() and gethostbyname_r() functions, which are called by a great many network services whenever they resolve a host name. Full details of the vulnerability are available at http://www.openwall.com/lists/oss-security/2015/01/27/9. Although the bug had been fixed upstream as early as May 21, 2013 (between glibc 2.17 and 2.18), the fix was not classified as a security issue, so it was not backported to most stable and long-term-support distributions such as RHEL, CentOS and Ubuntu 12.04, which remained vulnerable.

Updates for CentOS are already available in the Updates repository, so a simple "yum update" will install the patched glibc. Note that the fix only takes effect in processes that are restarted afterwards, because every running process keeps the old library mapped; restarting the affected services, or simply rebooting, is required to be fully protected.

Qualys have provided a simple C program (included in the advisory linked above) that tests whether a machine is vulnerable.
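As an added example (not the Qualys program itself and not code from this page), the following C check reproduces the same idea: it places a canary string immediately after the buffer handed to gethostbyname_r(), passes a purely numeric host name of exactly the length that the vulnerable size calculation in glibc gets wrong, and then inspects whether the canary was overwritten. The 16-byte address, two-pointer and one-byte terms in the length arithmetic mirror the overflow described in the advisory; the function name ghost_check() and the result codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the check (names are this example's own). */
enum ghost_result {
    GHOST_PATCHED = 0,      /* glibc refused with ERANGE: fix is present */
    GHOST_VULNERABLE = 1,   /* the canary after the buffer was overwritten */
    GHOST_INCONCLUSIVE = 2  /* neither: e.g. a non-glibc libc that never had the bug */
};

#define CANARY "in_the_coal_mine"

/* Result buffer with a canary placed directly behind it. A vulnerable
 * __nss_hostname_digits_dots() writes sizeof(char *) bytes past buffer[]
 * and lands in canary[]; a fixed one returns ERANGE instead. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* The buggy size_needed omitted sizeof(*h_alias_ptr). Choosing
     * strlen(name) = buflen - sizeof(host_addr) - sizeof(h_addr_ptrs) - 1
     * makes the vulnerable calculation fit exactly while the real need overflows. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all digits: taken as an IPv4 literal, no DNS lookup */
    name[len] = '\0';

    /* Restore the canary so the check can be run more than once. */
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;
    if (rc == ERANGE)
        return GHOST_PATCHED;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *text[] = { "not vulnerable (patched glibc)",
                                  "VULNERABLE to GHOST",
                                  "inconclusive (not glibc, or unexpected code path)" };
    puts(text[ghost_check()]);
    return 0;
}
```

Compile with a plain `gcc ghost.c -o ghost` and run it on the host you want to check. On a patched glibc the call fails with ERANGE and the canary is intact; on a vulnerable one the canary is clobbered. Other C libraries (musl, for example) never had this code path and report inconclusive rather than patched.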

The 2014 Holiday Season is over and so is the shopping fever. The analytics company RetailNext noted a 4% rise in sales compared to last year, driven by much stronger online purchasing.

According to Shelley Kohan, vice president of retail consulting at RetailNext, "The online promotions that came out early in November really took a lot out of the brick-and-mortar business as they captured the shopper very early this year" (reuters.com).

Considering the above, we cannot stress enough the need to maintain excellent website performance and availability. The more people visit your website, the harder it becomes to keep response time low and uptime high, and both matter if you care about your customers' shopping experience and about your sales and conversions.

We monitored 11 of the most popular gift websites during the Holiday Season (November 24, 2014 – January 04, 2015) to see whether they could bear the heavy traffic load of the shopping fever.

Most of them demonstrated excellent uptime, above 99.5%.

As for response time, it varied between 2 and 12 seconds, which means that some websites were caught off guard by traffic surges.

The 2014 hurricane season is over and according to Weather.com, it was “one of contrasts and paradoxes.”

The reason is that the Atlantic basin produced the fewest tropical cyclones and named storms since 1997, while at the same time bringing the strongest landfalling hurricane in the mainland U.S. in six years and the strongest hurricane in four years, according to the website.

These weather swings were closely reported by the weather websites, which must have been well prepared to bear heavy traffic load during unexpected weather events.

We decided to monitor 5 of the most popular weather websites to see whether they managed to cope with unforeseen traffic surges. Here is what we found:

Three of the five websites demonstrated an excellent average response time, below one second.

Nhc.noaa.gov had the lowest response time of all, 0.39 seconds; last year the same website also had the lowest response time.

Salvationarmy.org reached a response time of 2.4 seconds, much higher than last year's 0.9 seconds. That contrast suggests that this year's high response time was an isolated occurrence.

The uptime (availability) of all monitored targets was above 99.85%.

The stats above show that the monitored websites were up and running throughout the whole period and did not experience any major outages. Most of them also loaded quite fast, so visitors were able to receive important weather updates almost instantly.

As you probably know, a number of news sources, corporations, and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of the Secure Sockets Layer protocol (SSLv3) is vulnerable at the protocol level; the attack is known as POODLE and lets a network attacker who can force a client to fall back to SSLv3 recover plaintext from encrypted sessions. More information about the vulnerability can be found here: CVE-2014-3566.

To prevent any potential leaks through this vulnerability we have immediately disabled SSLv3 on all our web servers, including the API endpoints. Our monitoring agents are not affected by this change and will continue to support SSLv3 for the time being, so that servers that support only SSLv3 can still be monitored properly. We urge all customers to disable SSLv3 on hosts that interact with our services as soon as possible and to use Transport Layer Security (TLS) instead.

Here are a few examples of how to configure potentially vulnerable services so that SSLv3 is disabled.

Apache

Change all SSLProtocol directives in your httpd configuration (including any inside <VirtualHost> blocks, which override the global setting) to

SSLProtocol all -SSLv2 -SSLv3

and restart the server.

Nginx

Add or edit the following line in your server block (and reload nginx afterwards)

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

If you can't disable SSL 3.0 entirely, the TLS_FALLBACK_SCSV mechanism can help: a client that retries a failed handshake with a lower protocol version includes this signalling cipher suite, and a server that supports it rejects the downgraded connection, which defeats the forced fallback to SSLv3 that POODLE relies on. It only works if both the client and the server support it, and it does nothing for clients that genuinely speak only SSLv3, so it is a mitigation, not a replacement for turning SSLv3 off.
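After changing the configuration it is worth verifying from outside that SSLv3 is really gone, independently of whether the openssl binary on the testing machine still supports -ssl3. The C program below is an added example, not code from this page or from our service: it builds a raw SSLv3 ClientHello (record version 3.0, four plain RSA cipher suites, fixed "random" bytes), sends it to host:port and classifies the first record that comes back. An alert record means the server refused SSLv3; a ServerHello whose server_version is 3.0 means SSLv3 is still enabled. The function names, the verdict enum and the sample alert bytes in main() are this example's own constructions.

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the server's first record tells us about SSLv3 support. */
enum sslv3_verdict {
    SSLV3_REFUSED = 0,   /* alert (handshake_failure/protocol_version): SSLv3 is off */
    SSLV3_ACCEPTED = 1,  /* ServerHello with version 3.0: still exposed to POODLE */
    SSLV3_UNKNOWN = 2    /* no usable answer: closed socket, other data, connect error */
};

/* Build a minimal SSLv3 ClientHello offering four RSA suites that any
 * SSLv3-era server knows. Returns the record length, or 0 if cap is too small. */
size_t build_sslv3_client_hello(unsigned char *out, size_t cap)
{
    static const unsigned char suites[] = {
        0x00, 0x2f,   /* TLS_RSA_WITH_AES_128_CBC_SHA */
        0x00, 0x35,   /* TLS_RSA_WITH_AES_256_CBC_SHA */
        0x00, 0x0a,   /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
        0x00, 0x05,   /* TLS_RSA_WITH_RC4_128_SHA */
    };
    /* body: version(2) random(32) sid_len(1) suites_len(2) suites comp_len(1) comp(1) */
    size_t body = 2 + 32 + 1 + 2 + sizeof suites + 1 + 1;
    size_t hs = 4 + body;      /* plus the 4-byte handshake header */
    size_t total = 5 + hs;     /* plus the 5-byte record header */
    if (cap < total)
        return 0;

    unsigned char *p = out;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x00;             /* record: handshake, protocol 3.0 */
    *p++ = (unsigned char)(hs >> 8); *p++ = (unsigned char)hs;
    *p++ = 0x01;                                       /* handshake type: ClientHello */
    *p++ = 0x00; *p++ = (unsigned char)(body >> 8); *p++ = (unsigned char)body;
    *p++ = 0x03; *p++ = 0x00;                          /* client_version: SSL 3.0 */
    memset(p, 0x41, 32); p += 32;                      /* fixed "random": a probe, not a real session */
    *p++ = 0x00;                                       /* empty session id */
    *p++ = 0x00; *p++ = (unsigned char)sizeof suites;
    memcpy(p, suites, sizeof suites); p += sizeof suites;
    *p++ = 0x01; *p++ = 0x00;                          /* one compression method: null */
    return total;
}

/* Classify the first bytes the server sends back. */
enum sslv3_verdict classify_sslv3_response(const unsigned char *buf, size_t len)
{
    if (len < 5)
        return SSLV3_UNKNOWN;                          /* not even a record header */
    if (buf[0] == 0x15)
        return SSLV3_REFUSED;                          /* alert record */
    if (buf[0] == 0x16 && len >= 11 && buf[5] == 0x02 /* handshake: ServerHello */
        && buf[9] == 0x03 && buf[10] == 0x00)          /* server_version 3.0 */
        return SSLV3_ACCEPTED;
    return SSLV3_UNKNOWN;
}

/* Connect to host:port, send the probe and classify the reply. */
enum sslv3_verdict probe_sslv3(const char *host, const char *port)
{
    unsigned char hello[64], reply[256];
    size_t n = build_sslv3_client_hello(hello, sizeof hello);
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (n == 0 || getaddrinfo(host, port, &hints, &res) != 0)
        return SSLV3_UNKNOWN;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0)
        return SSLV3_UNKNOWN;

    enum sslv3_verdict v = SSLV3_UNKNOWN;
    if (write(fd, hello, n) == (ssize_t)n) {
        ssize_t got = read(fd, reply, sizeof reply);
        v = classify_sslv3_response(reply, got > 0 ? (size_t)got : 0);
    }
    close(fd);
    return v;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "refused (alert): SSLv3 disabled",
                                   "ACCEPTED: SSLv3 still enabled",
                                   "unknown: inspect manually" };
    /* Constructed sample (not captured from a real host): a fatal
     * handshake_failure alert, which is what a server with SSLv3 off sends. */
    static const unsigned char sample_alert[] = { 0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x28 };
    printf("sample alert -> %s\n", names[classify_sslv3_response(sample_alert, sizeof sample_alert)]);
    if (argc == 3)
        printf("%s:%s -> %s\n", argv[1], argv[2], names[probe_sslv3(argv[1], argv[2])]);
    return 0;
}
```

Run it as `./sslv3probe www.example.com 443` against each host after the configuration change. A TLS-level ServerHello (version 3.1 or higher) in reply to an SSLv3 hello is reported as unknown on purpose, since such a server is not following the SSLv3 handshake and should be looked at by hand; a closed connection with no bytes is also unknown, because it cannot be told apart from a network problem.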